Re: How to create a SAN certificate

Since OpenSSL 3.0,
one can use the -copy_extensions option of openssl req to copy over any SANs contained in the CSR to the cert being created
or use -addext to directly specify extensions without the need to use a config file,
or simply use the -x509 and -subj options to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g., 
openssl req -x509 -subj "/CN=test" -key ../prepare2/ca.key -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt
or use the -new option of openssl x509 to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g., 
openssl x509 -new -subj "/CN=test" -key ee.key -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt

Otherwise, as mentioned in the first answer quoted below, the classical way involves a config file - for details see the manual file.

Yet even with older OpenSSL versions (such as 1.1.1f) you can do without using a config file, e.g.,
openssl x509 -req -signkey ee.key -in ee.req -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt
or
openssl req -x509 -new -key ee.key -subj "/CN=test" -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt

HTH,
David

On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:

Henning Svane <hsv@xxxxxxxxx> wrote:
    > I am using OpenSSL 1.1.1f. Is there a way to make a SAN certificate
    > based on the CSR I have created in Exchange.  I need a self-signed
    > certificate for testing.

I'm not exactly sure what you think a SAN certificate is.
I guess one with a SubjectAltName extension.  Mostly, all certificates have
that these days, but whether or not the Subject is entirely filled out is a
different question.

To form a self-signed certificate from a CSR, use openssl req.
You may need a configuration file, serial number, expiry and algorithm.
You'll need access to the private key.

See:  https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki#section-4.2

Some of us maintain a document on generated test CAs for ECDSA and EDDSA
key types at:  https://github.com/henkbirkholz/draft-moskowitz-ecdsa-pki
while it is in the form of an IETF ID, it is not intended for publication.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
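The script below is an added example, not part of the thread, that exercises the approaches from David's reply that work on both OpenSSL 1.1.1 and 3.x: signing a CSR with openssl x509 -req plus -extfile, and building a self-signed cert in one shot with openssl req -x509 -addext. It also shows the gotcha behind the original question: signing a CSR that carries a SAN without -extfile (or, on 3.x, -copy_extensions copy) silently produces a cert with no SAN at all. It assumes an openssl binary on PATH, uses the constructed values from the thread (IP:1.2.3.4, DNS:test.com, CN=test), and writes its key, CSRs and certs into a scratch directory under $TMPDIR.

```shell
#!/bin/sh
# Added example: create and check SAN certificates with the openssl CLI.
# Works with OpenSSL 1.1.1 and 3.x; the -copy_extensions path is 3.x only.
set -eu

# Scratch directory for the key, CSRs and certs (assumption: writable TMPDIR).
WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# Constructed test values taken from the thread.
SAN="subjectAltName = IP:1.2.3.4, DNS:test.com"
SUBJ="/CN=test"

# EC P-256 key: fast to generate and accepted by both 1.1.1 and 3.x.
make_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
      -out "$WORK/ee.key" 2>/dev/null
}

# Path 1: CSR without a SAN, SAN supplied at signing time via -extfile.
# Works on 1.1.1f and 3.x; a temp file replaces bash process substitution.
sign_with_extfile() {
  openssl req -new -key "$WORK/ee.key" -subj "$SUBJ" -out "$WORK/ee1.csr"
  printf '%s\n' "$SAN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/ee1.csr" -signkey "$WORK/ee.key" -days 30 \
      -extfile "$WORK/san.cnf" -out "$WORK/ee1.crt" 2>/dev/null
}

# Path 2: one-shot self-signed cert, SAN added on the fly with -addext.
selfsign_addext() {
  openssl req -x509 -new -key "$WORK/ee.key" -subj "$SUBJ" -days 30 \
      -addext "$SAN" -out "$WORK/ee2.crt"
}

# Gotcha: the CSR carries the SAN, but openssl x509 -req ignores CSR
# extensions unless told otherwise, so ee3.crt ends up without any SAN.
sign_without_extfile() {
  openssl req -new -key "$WORK/ee.key" -subj "$SUBJ" -addext "$SAN" \
      -out "$WORK/ee3.csr"
  openssl x509 -req -in "$WORK/ee3.csr" -signkey "$WORK/ee.key" -days 30 \
      -out "$WORK/ee3.crt" 2>/dev/null
}

# Path 3 (OpenSSL 3.0+ only): copy the SAN from the same CSR.
sign_copy_extensions() {
  openssl x509 -req -in "$WORK/ee3.csr" -signkey "$WORK/ee.key" -days 30 \
      -copy_extensions copy -out "$WORK/ee4.crt" 2>/dev/null
}

# True when the running binary is OpenSSL 3.x (not 1.1.1, not LibreSSL).
is_openssl3() {
  openssl version | grep -q '^OpenSSL 3'
}

# Checks: does the cert carry a SAN, and does it match the name / IP?
# -checkhost / -checkip print "... does match certificate" or "... does NOT
# match certificate"; the exit status is 0 either way, so grep the text.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}
matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Print a one-line verdict per certificate.
report() {
  for c in ee1 ee2 ee3; do
    f="$WORK/$c.crt"
    if has_san "$f"; then s=present; else s=ABSENT; fi
    if matches_host "$f" test.com; then h=yes; else h=no; fi
    printf '%s.crt: SAN %s, matches test.com: %s\n' "$c" "$s" "$h"
  done
}

make_key
sign_with_extfile
selfsign_addext
sign_without_extfile
report
```

Expected outcome: ee1.crt and ee2.crt carry the SAN and match both test.com and 1.2.3.4, while ee3.crt has no SAN and does not match test.com (the CN fallback would only apply for a SAN-less cert whose CN is the hostname, and CN=test is not test.com). On 3.x, sign_copy_extensions produces ee4.crt from the same CSR with the SAN intact.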
